2021-11-04 19:08:33 +03:00
|
|
|
module Hasura.RQL.DDL.Network
|
2023-02-15 13:25:09 +03:00
|
|
|
( checkForHostnameWithSuffixInAllowlistObject,
|
2021-11-04 19:08:33 +03:00
|
|
|
dropHostFromAllowList,
|
|
|
|
|
runAddHostToTLSAllowlist,
|
|
|
|
|
runDropHostFromTLSAllowlist,
|
|
|
|
|
)
|
|
|
|
|
where
|
2021-08-24 10:36:32 +03:00
|
|
|
|
|
|
|
|
import Data.Text (pack)
|
|
|
|
|
import Data.Text.Extended
|
|
|
|
|
import Hasura.Base.Error
|
|
|
|
|
import Hasura.EncJSON
|
|
|
|
|
import Hasura.Metadata.Class ()
|
|
|
|
|
import Hasura.Prelude
|
2022-04-27 16:57:28 +03:00
|
|
|
import Hasura.RQL.Types.Common
|
|
|
|
|
import Hasura.RQL.Types.Metadata
|
|
|
|
|
import Hasura.RQL.Types.Network
|
|
|
|
|
import Hasura.RQL.Types.SchemaCache.Build
|
2021-09-24 01:56:37 +03:00
|
|
|
|
2021-08-24 10:36:32 +03:00
|
|
|
runAddHostToTLSAllowlist ::
|
|
|
|
|
(QErrM m, CacheRWM m, MetadataM m) =>
|
|
|
|
|
TlsAllow ->
|
|
|
|
|
m EncJSON
|
|
|
|
|
runAddHostToTLSAllowlist tlsAllowListEntry@TlsAllow {..} = do
|
|
|
|
|
networkMetadata <- _metaNetwork <$> getMetadata
|
|
|
|
|
|
|
|
|
|
when (null taHost) $ do
|
|
|
|
|
throw400 BadRequest $ "key \"host\" cannot be empty"
|
|
|
|
|
|
2023-02-15 13:25:09 +03:00
|
|
|
when (checkForHostWithSuffixInTLSAllowlist taHost taSuffix (tlsList networkMetadata)) $ do
|
|
|
|
|
case taSuffix of
|
|
|
|
|
Nothing ->
|
|
|
|
|
throw400 AlreadyExists $
|
|
|
|
|
"the host " <> dquote (pack taHost) <> " already exists in the allowlist"
|
|
|
|
|
Just suffix ->
|
|
|
|
|
throw400 AlreadyExists $
|
|
|
|
|
"the host " <> dquote (pack taHost) <> " with suffix " <> dquote (pack suffix) <> " already exists in the allowlist"
|
2021-08-24 10:36:32 +03:00
|
|
|
|
|
|
|
|
withNewInconsistentObjsCheck $
|
server: Simplify `BuildOutputs`
A bunch of configurations are retrieved from the Metadata, then stored in the `BuildOutputs` structure, only to then be forwarded to the `SchemaCache`, with extremely little processing in between.
So this simplifies the build pipeline for some parts of the metadata: just construct those things from `Metadata` directly, and store them in the `SchemaCache` without any intermediate container.
Why did we have the detour via `BuildOutputs` in the first place? Parts of the Metadata (codified by `MetadataObjId`) can generate _metadata inconsistencies_ and/or _schema dependencies_, which are related.
- Metadata inconsistencies are warnings that we show to the user, indicating that there's something wrong with their configuration, and they have to fix it.
- Schema dependencies are an internal mechanism that allow us to build a consistent view of the world. For instance, if we have a relationship from DB tables `books` to `authors`, but the `authors` table is inconsistent (e.g. it doesn't exist in the DB), then we have schema dependencies indicating that. The job of `resolveDependencies` is to then drop the relationship, so that we can at least generate a legal GraphQL schema for `books`.
If we never generate a schema dependency for a certain fragment of Metadata, then there is no reason to call `resolveDependencies` on it, and so there is no reason to store it in `BuildOutputs`.
---
The starting point that allows this refactor is to apply Metadata defaults before it reaches `buildAndCollectInfo`, so that metadata-with-defaults can be used elsewhere.
PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6609
GitOrigin-RevId: df0c4a7ff9451e10e02a40bf26304b26584ba483
2022-11-15 15:02:55 +03:00
|
|
|
buildSchemaCache $
|
2021-08-24 10:36:32 +03:00
|
|
|
addHostToTLSAllowList tlsAllowListEntry
|
|
|
|
|
|
|
|
|
|
pure successMsg
|
|
|
|
|
where
|
|
|
|
|
tlsList nm = networkTlsAllowlist nm
|
|
|
|
|
|
|
|
|
|
runDropHostFromTLSAllowlist ::
|
|
|
|
|
(QErrM m, CacheRWM m, MetadataM m) =>
|
|
|
|
|
DropHostFromTLSAllowlist ->
|
|
|
|
|
m EncJSON
|
2023-02-15 13:25:09 +03:00
|
|
|
runDropHostFromTLSAllowlist (DropHostFromTLSAllowlist hostname maybeSuffix) = do
|
2021-08-24 10:36:32 +03:00
|
|
|
networkMetadata <- _metaNetwork <$> getMetadata
|
|
|
|
|
|
|
|
|
|
when (null hostname) $ do
|
|
|
|
|
throw400 BadRequest $ "hostname cannot be empty"
|
|
|
|
|
|
2023-02-15 13:25:09 +03:00
|
|
|
unless (checkForHostWithSuffixInTLSAllowlist hostname maybeSuffix (networkTlsAllowlist networkMetadata)) $ do
|
|
|
|
|
case maybeSuffix of
|
|
|
|
|
Nothing ->
|
|
|
|
|
throw400 NotExists $
|
|
|
|
|
"the host " <> dquote (pack hostname) <> " isn't present in the allowlist"
|
|
|
|
|
Just suffix ->
|
|
|
|
|
throw400 NotExists $
|
|
|
|
|
"the host " <> dquote (pack hostname) <> " with suffix " <> dquote (pack suffix) <> " isn't present in the allowlist"
|
2021-08-24 10:36:32 +03:00
|
|
|
|
|
|
|
|
withNewInconsistentObjsCheck $
|
|
|
|
|
buildSchemaCache $
|
2023-02-15 13:25:09 +03:00
|
|
|
dropHostFromAllowList hostname maybeSuffix
|
2021-08-24 10:36:32 +03:00
|
|
|
|
|
|
|
|
pure successMsg
|
|
|
|
|
|
|
|
|
|
addHostToTLSAllowList :: TlsAllow -> MetadataModifier
|
|
|
|
|
addHostToTLSAllowList tlsaObj = MetadataModifier $ \m ->
|
|
|
|
|
m {_metaNetwork = Network $ (tlsList m) ++ [tlsaObj]}
|
|
|
|
|
where
|
|
|
|
|
tlsList md = networkTlsAllowlist (_metaNetwork md)
|
|
|
|
|
|
2023-02-15 13:25:09 +03:00
|
|
|
dropHostFromAllowList :: String -> Maybe String -> MetadataModifier
|
|
|
|
|
dropHostFromAllowList host maybeSuffix = MetadataModifier $ \m ->
|
2021-08-24 10:36:32 +03:00
|
|
|
m {_metaNetwork = Network $ filteredList m}
|
|
|
|
|
where
|
|
|
|
|
tlsList md = networkTlsAllowlist (_metaNetwork md)
|
|
|
|
|
|
2023-02-15 13:25:09 +03:00
|
|
|
filteredList md = filter (not . checkForHostnameWithSuffixInAllowlistObject host maybeSuffix) (tlsList md)
|
2021-08-24 10:36:32 +03:00
|
|
|
|
2023-02-15 13:25:09 +03:00
|
|
|
checkForHostnameWithSuffixInAllowlistObject :: String -> Maybe String -> TlsAllow -> Bool
|
|
|
|
|
checkForHostnameWithSuffixInAllowlistObject host maybeSuffix tlsa = host == (taHost tlsa) && maybeSuffix == (taSuffix tlsa)
|
2021-08-24 10:36:32 +03:00
|
|
|
|
2023-02-15 13:25:09 +03:00
|
|
|
checkForHostWithSuffixInTLSAllowlist :: String -> Maybe String -> [TlsAllow] -> Bool
|
|
|
|
|
checkForHostWithSuffixInTLSAllowlist host maybeSuffix tlsAllowList =
|
|
|
|
|
any (checkForHostnameWithSuffixInAllowlistObject host maybeSuffix) tlsAllowList
|
